Linux rootkit evades Elastic EDR: Singularity exposed

  • Researchers present Singularity, a Linux rootkit capable of bypassing Elastic EDR using advanced techniques.
  • Key ideas: string obfuscation, symbol randomisation, fragmentation with in-memory loading, and direct syscalls.
  • Malicious capabilities: hiding processes, files and connections, an ICMP backdoor and privilege escalation.
  • Impact on Europe and Spain: an urgent need to monitor kernel integrity and to apply defense in depth with memory forensics.

Linux rootkit evades Elastic EDR

A team of researchers has demonstrated a Linux rootkit called Singularity that goes undetected by Elastic Security EDR, revealing significant limitations in kernel-level detection. This proof of concept is not merely a lesson: it combines obfuscation and evasion techniques to reduce to zero the signatures that usually give a malicious module away.

The finding is troubling for European security teams, including those in Spain, because Elastic normally fires more than twenty-six alerts against common rootkits, and in this case it fired none. The research, published for educational purposes by 0xMatheuZ, shows that signature- and pattern-based approaches fail against adversaries who refine their engineering.

How it bypasses Elastic EDR: the key evasion techniques

EDR evasion on Linux

Singularity's first advantage is compile-time string obfuscation: sensitive fragments (for example, "GPL" or "kallsyms_lookup_name") are split into chunks that the C compiler reassembles automatically, preventing scanners such as YARA from finding the contiguous malicious strings without sacrificing functionality.

In parallel, it applies randomization of symbol names: instead of recognizable identifiers such as hook_getdents or hide_module, it uses generic tags with prefixes that mimic the kernel itself (sys, kern, dev), blurring the expected function map and defeating name-based detection rules.

The next move is splitting the module into encoded fragments that are reassembled in memory. The fragments are XOR-encoded and the loader uses memfd_create to avoid leaving remnants on disk; at insertion time it issues direct system calls (including finit_module) through inline assembler, dodging the libc wrappers that many EDRs monitor.

It also masks the ftrace helpers: commonly monitored functions (such as fh_install_hook or fh_remove_hook) are renamed deterministically with unusual identifiers, preserving their behavior while breaking the Elastic signatures aimed at generic rootkits.

At the execution level, the researchers circumvent reverse shell rules by first writing the payload to disk and then executing it, "cleaning" the command lines; the rootkit then hides the running process using its own signatures, making it hard to correlate events with the actual activity.

Rootkit capabilities and risks for European environments

Risks of rootkits on Linux

Beyond evasion, Singularity includes offensive capabilities: it can hide processes inside /proc, hide files and directories matching patterns such as "umwe" or "matheuz", and conceal TCP connections (for example, on port 8081). It also enables privilege escalation through classic signals or environment variables, and provides an ICMP backdoor capable of triggering remote actions.

The project adds anti-analysis protections, masking strings and sanitizing logs to reduce noise. The loader is deeply obfuscated and can operate in unmonitored areas, strengthening a kill chain in which the whole module never touches disk, so static analysis runs out of material.

For organizations in Spain and across Europe that rely on Elastic Defend, the case forces a review of detection rules and a strengthening of low-level monitoring. The combination of obfuscation, in-memory loading, and direct syscalls exposes blind spots where behavior-based controls are limited because they do not capture kernel state.

SOC teams should prioritize kernel integrity checks (for example, LKM verification and protection against unauthorized loading), integrate memory forensics and eBPF telemetry correlated with system telemetry, and apply defense in depth that combines heuristics, allowlists, hardening and continuous signature updates.

In hardened environments, it is advisable to strengthen attack-surface reduction rules: block or disable the ability to load modules, enforce security policies and capabilities (CAP_SYS_MODULE), monitor the use of memfd_create and check for anomalies in symbol names. All of this without relying solely on EDR, but by combining multiple layered controls and cross-checks.

The Singularity case shows that, facing adversaries who refine their obfuscation, defenders must move toward deeper, orchestrated monitoring approaches. Kernel integrity threats call for adding integrity checks, memory analysis, and advanced correlation to EDR in order to reduce blind spots and raise the bar of resilience.
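The two paragraphs above list four defensive checks: verify loaded kernel modules, confirm module loading is locked, watch for memfd_create-backed executables, and control who holds CAP_SYS_MODULE. The following script, added here as an example and not code from the article or from the Singularity project, implements each check as a function over the corresponding /proc text so the logic can be exercised offline on the constructed samples embedded below, and then runs the same functions against the live /proc of the host. The module allowlist, the module name "kern_dev_sys", and all sample /proc contents are constructed for illustration.

```python
"""Defensive triage helpers for the indicators the article calls out.
Added example: module allowlisting, modules_disabled check, memfd-backed
executable mappings, and CAP_SYS_MODULE detection in a process capability mask.
"""
import re
from pathlib import Path

CAP_SYS_MODULE = 16  # bit index from linux/capability.h

# Hypothetical allowlist of modules expected on this host (assumption).
EXPECTED_MODULES = {"ext4", "xfs", "e1000", "nf_conntrack"}

# Constructed sample of /proc/modules; "kern_dev_sys" is a made-up name that
# imitates the kernel-like prefixes the article describes. "(OE)" marks an
# out-of-tree (O), unsigned (E) module.
SAMPLE_PROC_MODULES = """\
ext4 745472 1 - Live 0xffffffffc0a00000
xfs 1540096 0 - Live 0xffffffffc0b00000
kern_dev_sys 16384 0 - Live 0xffffffffc0f00000 (OE)
e1000 159744 0 - Live 0xffffffffc0c00000
"""

# Constructed sample of /proc/<pid>/maps with one executable mapping backed by
# a memfd file (the kernel renders such files as "/memfd:<name> (deleted)").
SAMPLE_PROC_MAPS = """\
55d1c0a00000-55d1c0a21000 r--p 00000000 08:01 1311 /usr/bin/sshd
7f3a2c000000-7f3a2c021000 r-xp 00000000 00:01 4242 /memfd:loader (deleted)
7f3a2c021000-7f3a2c023000 rw-p 00021000 00:01 4242 /memfd:loader (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed fragment of /proc/<pid>/status for a fully privileged process.
SAMPLE_PROC_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"


def parse_proc_modules(text):
    """Yield (name, taint_flags) per line of /proc/modules.
    The trailing parenthesised taint field is optional."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        taint = fields[-1].strip("()") if fields[-1].startswith("(") else ""
        yield fields[0], taint


def suspicious_modules(text, allowlist=EXPECTED_MODULES):
    """Names that are not allowlisted or carry the out-of-tree/unsigned flags."""
    return sorted(
        name for name, taint in parse_proc_modules(text)
        if name not in allowlist or "O" in taint or "E" in taint
    )


# address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^(\S+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def memfd_exec_mappings(text):
    """(address_range, path) for executable mappings backed by memfd files."""
    hits = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        addr, perms, path = m.groups()
        if "x" in perms and path.startswith("/memfd:"):
            hits.append((addr, path))
    return hits


def has_cap_sys_module(status_text):
    """True if the CapEff mask in a /proc/<pid>/status dump includes CAP_SYS_MODULE."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_SYS_MODULE) & 1)
    return False


def modules_loading_locked(sysctl_text):
    """True when kernel.modules_disabled reads 1 (loading locked until reboot)."""
    return sysctl_text.strip() == "1"


def audit_live_host():
    """Run the same checks against the real /proc; returns a dict of findings."""
    findings = {}
    mods = Path("/proc/modules")
    if mods.exists():
        findings["modules"] = suspicious_modules(mods.read_text())
    sysctl = Path("/proc/sys/kernel/modules_disabled")
    if sysctl.exists():
        findings["modules_disabled"] = modules_loading_locked(sysctl.read_text())
    hits = []
    for maps in Path("/proc").glob("[0-9]*/maps"):
        try:  # processes may exit or be unreadable mid-scan
            hits += [(maps.parent.name, a, p) for a, p in memfd_exec_mappings(maps.read_text())]
        except OSError:
            continue
    findings["memfd_exec"] = hits
    return findings


if __name__ == "__main__":
    print("sample suspicious modules:", suspicious_modules(SAMPLE_PROC_MODULES))
    print("sample memfd exec mappings:", memfd_exec_mappings(SAMPLE_PROC_MAPS))
    print("sample CAP_SYS_MODULE:", has_cap_sys_module(SAMPLE_PROC_STATUS))
    print("live host:", audit_live_host())
```

Each function is a single layer of the cross-check the paragraph asks for: an allowlist miss or an O/E taint flag is a reason to inspect a module, a memfd-backed executable mapping is a reason to inspect a process, and a process holding CAP_SYS_MODULE on a host where modules_disabled is still 0 is a configuration gap rather than an incident by itself. None of these signals replaces EDR; they are meant to be correlated with it.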